qlge: Avoid reading past end of buffer
authorKees Cook <keescook@chromium.org>
Fri, 5 May 2017 22:34:34 +0000 (15:34 -0700)
committerDavid S. Miller <davem@davemloft.net>
Mon, 8 May 2017 18:41:42 +0000 (14:41 -0400)
Using memcpy() from a string that is shorter than the length copied means
the destination buffer is being filled with arbitrary data from the kernel
rodata segment. Instead, use strncpy() which will fill the trailing bytes
with zeros.

This was found with the future CONFIG_FORTIFY_SOURCE feature.

Cc: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/qlogic/qlge/qlge_dbg.c

index 829be21f97b21dd694c6cad732b06a899be106c8..28ea0af89aefeb2a733801af03a21b20d269cb37 100644 (file)
@@ -765,7 +765,7 @@ int ql_core_dump(struct ql_adapter *qdev, struct ql_mpi_coredump *mpi_coredump)
                sizeof(struct mpi_coredump_global_header);
        mpi_coredump->mpi_global_header.imageSize =
                sizeof(struct ql_mpi_coredump);
-       memcpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
+       strncpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
                sizeof(mpi_coredump->mpi_global_header.idString));
 
        /* Get generic NIC reg dump */
@@ -1255,7 +1255,7 @@ static void ql_gen_reg_dump(struct ql_adapter *qdev,
                sizeof(struct mpi_coredump_global_header);
        mpi_coredump->mpi_global_header.imageSize =
                sizeof(struct ql_reg_dump);
-       memcpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
+       strncpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
                sizeof(mpi_coredump->mpi_global_header.idString));